Avoiding False-Positive Virus Detection in Windows Apps

Published January 29, 2018 by Geoff Perlman

Viruses continue to be a big problem on Windows. As a result, anti-virus software can be a bit over-zealous about detecting what it believes to be apps that have viruses embedded within them. We have had reports over the years that apps made with Xojo are sometimes falsely identified as being infected with a virus. This sometimes occurs because the 32-bit Xojo compiler puts executable code in a location where the anti-virus software doesn’t expect to find it. We’ve seen this occur even when users are debugging apps from the IDE. Fortunately in that case, there’s a fairly easy solution.

With the move to LLVM as the backend of our compiler, the format of our Windows executables changed somewhat. LLVM puts the executable code in a different location that doesn’t set off those same flags for anti-virus software. If you’re having problems with such false positives, recompiling your apps for 64-bit may solve the problem. Doing this is not a 100% guarantee, but it can reduce the chances of a false positive occurring.

This is even more true if you are using console-based helper apps, especially if you’re launching multiple instances of them. Despite this being a known and often-used technique for taking advantage of multiple cores (and one we wrote about recently), it can make anti-virus software more suspicious. If your helper app has code that the anti-virus software thinks is in the wrong place, recompiling it for 64-bit may help.

Having said all of this, false is still false. If your apps (compiled for 32-bit or 64-bit) are falsely identified as having a virus, contact the anti-virus software company so they can update their software. Many have established protocols for reporting false positives.